To control access to WebSphere® Application Server for z/OS resources:
- As a general rule, give greater authority to controllers and less authority to servants.
Table 1. Level of trust and authority for regions. This table indicates the level of trust and authority for each region.

Region: Controller
Level of trust and access authority:
- Contains WebSphere Application Server for z/OS system code.
- Trusted; runs APF-authorized.
- Contains the communication ports and manipulates System Authorization Facility (SAF) client identities.

Region: Servant
Level of trust and access authority:
- Contains WebSphere Application Server for z/OS system code, application code, and pluggable service providers (such as JDBC drivers).
- Supports Java 2 Security to protect sensitive data and system services.
- Untrusted.
- For the WebSphere Application Server for z/OS run-time clusters, the general rule is to give less authority to the location service daemon and greater authority to the node, as explained in the table below:
Table 2. Assigning authorities to WebSphere Application Server for z/OS run-time cluster control and servants. This table lists the required authorities for z/OS run-time cluster control and servant regions.

Run-time cluster: Location service daemon
Region: Control
Required authorities:
- STARTED class
- Access to Workload Manager (WLM) services
- Access to DNS
- OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other clusters
- IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING in the FACILITY class (SSL)

Run-time cluster: Node
Region: Control
Required authorities:
- STARTED class

Run-time cluster: Controller
Region: Control
Required authorities:
- SSL
- Kerberos
- READ authority to the SERVER class
- OPERCMDS access to START, STOP, CANCEL, FORCE, and MODIFY other servers

Run-time cluster: Servant
Region: Servant
Required authorities (the following classes):
- OTMA
- SERVER
- DSNR
- DATASET
- SURROGATE
- STARTED
- LOGSTREAM
- Remember to protect the Resource Recovery Services (RRS) log streams. By default, UACC is READ.
- Protect the WebSphere Application Server for z/OS properties XML files, especially if they contain passwords. For more information, see the WebSphere Application Server variables in the administrative console or the documentation.
- The Deployment Manager also needs permission to start and stop servers.
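The following TSO REXX exec is an added example, not part of the IBM page or the product's customization jobs. It issues the RACF definitions implied by Tables 1 and 2 and by the RRS log stream note: one user ID per region, STARTED profiles mapping each procedure to its ID, OPERCMDS START/STOP/CANCEL/FORCE/MODIFY access for the daemon, controller and deployment manager only, the two IRR.DIGTCERT FACILITY profiles for SSL, READ on a SERVER profile, and DSNR and LOGSTREAM profiles for the servant. Every group, user ID, procedure name, DB2 subsystem, log stream and SERVER profile name in it is a placeholder (WSCFG1, WSDMNU, WSCRU, WSSRU, WSDMGU, BBODMN, BBOS001, BBOS001S, BBODMGR, DB2P, ATR.PLEX1.**, CB.BIND.BBOS001.BBOCLST.BBOCELL); the READ access levels on DSNR and LOGSTREAM are assumptions to confirm against your own DB2 and RRS requirements.

```rexx
/* REXX: added example, not from the IBM page.  Issues the RACF      */
/* definitions behind Tables 1 and 2 and the RRS log stream note.    */
/* All names are placeholders for your cell: group WSCFG1; user IDs  */
/* WSDMNU (daemon), WSCRU (controller), WSSRU (servant), WSDMGU      */
/* (deployment manager); procs BBODMN, BBOS001, BBOS001S, BBODMGR;   */
/* DB2 subsystem DB2P; RRS log streams ATR.PLEX1.**; SERVER profile  */
/* CB.BIND.BBOS001.BBOCLST.BBOCELL (take yours from the customization */
/* jobs).  READ on DSNR and LOGSTREAM is an assumption to verify.    */
address TSO

/* One user ID per region: the untrusted servant never runs under    */
/* the controller's identity, so it is bounded by what WSSRU alone   */
/* is permitted to, not by the controller's rights.                  */
call racf "ADDGROUP WSCFG1 OMVS(GID(2500))"
call racf "ADDUSER WSDMNU DFLTGRP(WSCFG1) NOPASSWORD",
          "OMVS(UID(2501) HOME('/var/WebSphere') PROGRAM('/bin/sh'))"
call racf "ADDUSER WSCRU  DFLTGRP(WSCFG1) NOPASSWORD",
          "OMVS(UID(2502) HOME('/var/WebSphere') PROGRAM('/bin/sh'))"
call racf "ADDUSER WSSRU  DFLTGRP(WSCFG1) NOPASSWORD",
          "OMVS(UID(2503) HOME('/var/WebSphere') PROGRAM('/bin/sh'))"
call racf "ADDUSER WSDMGU DFLTGRP(WSCFG1) NOPASSWORD",
          "OMVS(UID(2504) HOME('/var/WebSphere') PROGRAM('/bin/sh'))"
call racf "SETROPTS GENERIC(STARTED OPERCMDS LOGSTREAM)"
call racf "SETROPTS CLASSACT(STARTED OPERCMDS FACILITY SERVER DSNR",
          "LOGSTREAM) RACLIST(STARTED OPERCMDS FACILITY SERVER)"

/* STARTED: map each procedure to its region user ID.  TRUSTED(NO)  */
/* on purpose: "trusted" in Table 1 means APF-authorized code, not   */
/* the RACF TRUSTED attribute, which would bypass every access check.*/
call started "BBODMN.*",   "WSDMNU"
call started "BBOS001.*",  "WSCRU"
call started "BBOS001S.*", "WSSRU"
call started "BBODMGR.*",  "WSDMGU"

/* OPERCMDS: daemon, controller and deployment manager may START,    */
/* STOP, CANCEL, FORCE and MODIFY other WebSphere started tasks; the */
/* servant gets none of these.  FORCE needs CONTROL, the rest UPDATE.*/
ops = "WSDMNU WSCRU WSDMGU"
do i = 1 to 5
   verb = word("START STOP CANCEL FORCE MODIFY", i)
   lvl  = word("UPDATE UPDATE UPDATE CONTROL UPDATE", i)
   prof = "MVS."verb".STC.BBO*.**"
   call racf "RDEFINE OPERCMDS" prof "UACC(NONE)"
   call racf "PERMIT" prof "CLASS(OPERCMDS) ID("ops") ACCESS("lvl")"
end

/* FACILITY (SSL): daemon and controller may list their own          */
/* certificates and key rings; READ is sufficient.                   */
do i = 1 to 2
   prof = word("IRR.DIGTCERT.LIST IRR.DIGTCERT.LISTRING", i)
   call racf "RDEFINE FACILITY" prof "UACC(NONE)"
   call racf "PERMIT" prof "CLASS(FACILITY) ID(WSDMNU WSCRU) ACCESS(READ)"
end

/* SERVER: READ for controller and servant on the server's profile.  */
prof = "CB.BIND.BBOS001.BBOCLST.BBOCELL"
call racf "RDEFINE SERVER" prof "UACC(NONE)"
call racf "PERMIT" prof "CLASS(SERVER) ID(WSCRU WSSRU) ACCESS(READ)"

/* Servant-only resources: DB2 through RRSAF (DSNR) and the RRS log  */
/* streams (LOGSTREAM).  UACC(NONE) replaces the READ default the    */
/* page warns about; only the servant ID is permitted.               */
call racf "RDEFINE DSNR DB2P.RRSAF UACC(NONE)"
call racf "PERMIT DB2P.RRSAF CLASS(DSNR) ID(WSSRU) ACCESS(READ)"
call racf "RDEFINE LOGSTREAM ATR.PLEX1.** UACC(NONE)"
call racf "PERMIT ATR.PLEX1.** CLASS(LOGSTREAM) ID(WSSRU) ACCESS(READ)"

/* Make the in-storage copies current before starting any region.    */
call racf "SETROPTS RACLIST(STARTED OPERCMDS FACILITY SERVER) REFRESH"
call racf "SETROPTS GENERIC(STARTED OPERCMDS LOGSTREAM) REFRESH"
exit 0

started:
   parse arg proc, user
   call racf "RDEFINE STARTED" proc "STDATA(USER("user") GROUP(WSCFG1)",
             "TRUSTED(NO) PRIVILEGED(NO))"
   return

racf:
   /* Issue one RACF command and stop on anything worse than a       */
   /* warning (RC 4, for example a profile that already exists).     */
   parse arg cmd
   say cmd
   address TSO cmd
   if rc > 4 then do
      say "RACF command failed, RC="rc
      exit rc
   end
   return
```

Run it from a TSO user ID with SPECIAL (or the equivalent group-SPECIAL and class authority) and check the SYSTSPRT output for ICH messages; a non-zero RC from the exec means one of the definitions was rejected and the remaining commands were not issued. The deliberate choices are the ones the tables imply but do not spell out: distinct user IDs for controller and servant so a compromised servant inherits none of the controller's OPERCMDS or SSL authority, and TRUSTED(NO) PRIVILEGED(NO) on every STARTED profile so that the "trusted" controller is still subject to RACF checks.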